Nice one this PyPy, I'll test this soon =) thanks!

On Sunday, 15 April 2012 07:58:41 UTC-3, Kevin wrote:
>
> Check out PyPy Sandboxing, it may be your best bet:
>
> http://pypy.org/features.html#sandboxing
>
>
> On Saturday, 14 April 2012 11:45:41 UTC-5, Arruda wrote:
>>
>> Hi there, I'm doing a system where I want the users to be able to 
>> set/change some scripts that are dynamically run (RPG-like scripts).
>> So a user can change the way the Kill_a_player script is run.
>>
>> I thought of doing this by using exec, like this:
>>
>>
>> from django.db import models
>>
>> class Script(models.Model):
>>     script_py = models.TextField(u"Script Python")
>>
>>     class Meta:
>>         app_label = 'scripts'
>>
>>     def run(self, **kwargs):
>>         ret = None
>>         # prepares the args
>>         for key, val in kwargs.items():
>>             exec("%s = val" % key)
>>         exec(self.script_py)
>>         return ret
>>
>>
>> So that I can do:
>>
>> s = Script()
>> s.script_py = """character.kill(another_character)
>> character.win_exp()
>> ret = character.lvl"""
>>
>> new_lvl = s.run(character=some_player, another_character=another_player)
>>
>>  
>> This all works just fine, but the problem is the security risk of the 
>> exec...
>> So the user could do:
>>
>> s.script_py = "import os; os.system('shutdown -P 0')"
>>
>>
>>  And that's the smallest problem...
>> So I was thinking if there is already something like that implemented, 
>> and that I can add to my project easily, and found this PythonScript from 
>> Zope, that does something like that.
>>
>> I just don't know if that is easily portable to another project, and if 
>> I'm going to get what I want using this (let the users change the way the 
>> script is run). There is not much use if the users can only do: "a + b = c"
>>
>> I also came across this post http://lybniz2.sourceforge.net/safeeval.html 
>> and was thinking if there is something like that in exec.
>> A friend of mine also said that you can limit what the users can 
>> import and use in some function (that I don't remember now).
>>
>> Thanks for the help.
>>
>
